0 votes

I've created a new Adaxes instance (23.2) in my test environment. I've added a managed domain of the "cloud domain" type and connected this tenant via the Microsoft 365 cloud services option in the Adaxes console too. I've used an app registration to authenticate and granted all requested permissions/roles to it.

In my Azure tenant I have two users: AADDS Test User, which is set as the manager of AADDS_TestUserinek.

But when I log in using the AADDS Test User credentials I am unable to change any properties of AADDS_TestUserinek. I don't even see him under the "My managed objects" section, I only see him under the "My team" section.

I've modified Forms and views according to the tutorial too.

What am I missing?

by (960 points)

1 Answer

0 votes
by (294k points)

Hello,

The behavior is expected, as the My managed objects pane only displays the objects that have the logged-on user as their owner. Owners are set via the Managed By property, which users do not have.

Also, Microsoft Entra users cannot log in to Adaxes at all. You are still logged in as the on-premises AD user.

0

OK, so is it somehow doable to let our cloud-only users manage other cloud-only resources (users, groups, ...)?

I forgot to add that currently we are a hybrid environment (accounts hosted on-premises and synced to Azure), but we are planning to migrate to a cloud-only scenario. What we would like to retain is Adaxes, for letting our users manage Azure groups etc.

Because Adaxes requires an Active Directory domain, we thought we would host it using Azure "Microsoft Entra Domain Services" (aka AD hosted in Azure). This basically means that our cloud-only users/groups/... will be synchronized to this Azure-hosted AD, where Adaxes will also be installed. This way users would be able to log in to the Adaxes service.

So the question is: is it possible to somehow let our future cloud-only users connect to Adaxes via their synchronized Azure AD accounts, but manage cloud-only assets at the same time?

I can imagine some sort of linkage between the synced account and the original Azure AD account that gives the user permissions over the cloud-only assets where such an Azure AD account is the manager?

Or what is the supported scenario for cloud-only environments that want to leverage Adaxes?

Thanks!

0

Hello,

As we mentioned in the previous post, currently cloud accounts cannot log in to Adaxes. As such, they cannot manage anything or use any Adaxes functionality at all. The feature is on our to-do list, but there is no ETA yet.

0

That's why I've asked whether there is some other way around it. For example, by using a local AD user that will be somehow linked to its cloud counterpart.

So I assume there isn't :(

0

Hello,

Such a link is possible, but not for cloud-only users. If you have both the on-premises user and the cloud user that are synchronized and managed in Adaxes, it will work fine. Still, users would not be present in the My managed objects pane. They only have the Manager property, not the Managed By one. As an option, you can use a built-in report, Subordinates of user. By default, the report is located in the container Reports\All Reports\Users\Managers and Subordinates.

0

Not sure I follow. Now you are talking about the classic hybrid scenario where users are synced from AD to Entra ID. But that doesn't apply to our imaginary "cloud-only" scenario, where we have an Azure-hosted AD only to be able to log in to Adaxes, but the source of the users is in Azure?

So, long story short, for our scenario we have to create custom commands for every action we want our users to have, plus add some logic in our custom commands to specify who is allowed to perform such an action on a specified object.

0

Hello,

That is not quite what we meant. Here is an example:

  • You have both an on-premises AD and a Microsoft Entra ID domain registered in Adaxes.
  • There is a user John Smith who is synchronized and has accounts in both on-premises AD and Microsoft Entra ID.
  • There is a user Jane Doe who only exists in Microsoft Entra ID and has John Smith set as manager.
  • If John signs in to Adaxes with his on-premises AD account, the Subordinates of user report will include Jane Doe.
  • John can click Jane's account, view it and manage it according to the permissions granted by Adaxes security roles.

If you face any issues, please provide the steps you perform with screenshots and describe the desired behavior in all possible detail with live examples.

0

As I said, you are talking about the classic hybrid scenario, but the situation where Azure "Microsoft Entra Domain Services" (aka a special kind of AD hosted in Azure) is used instead of on-premises AD is a little bit different. And that is the environment I am talking about, where users are synced from Azure to the Azure-hosted AD, and such users are unfortunately unable to modify cloud-only users as per my testing. Because these synced accounts used for logging in to Adaxes aren't linked to the parent (Azure) ones or something like it, they don't have permissions over the cloud accounts even though the manager is correctly set (to the cloud-account version).

0

Hello,

That was just an example. Synchronization is actually not required for Adaxes to make that work. All it needs is to be able to match the on-premises AD account with the Microsoft Entra one. It is an Adaxes internal process not related to the synchronization. After that, you only need to be able to see the corresponding accounts in Adaxes. As such, the described behavior should work just fine with Microsoft Entra Domain Services. If you do not have it working, please describe the configuration you have in all possible detail with screenshots. Also, please provide screenshots of the security roles you created. You can post the screenshots here or send them to us at support@adaxes.com.

Any additional detail will be much appreciated.
